Penetration Testing mailing list archives
Re: [PEN-TEST] stacking SQL requests
From: Nicolas Gregoire <nicolas.gregoire () 7THZONE COM>
Date: Wed, 30 Aug 2000 17:30:23 +0200
Emmanuel Gadaix wrote:
That is, inputs such as:
hisname' ; select sysdate from dual --
will result in:
ERROR at line 2:
ORA-00911: invalid character
Anybody on the list has been playing with this on Oracle? Other databases?
Do you use an interface between your web form and your DB? For example, using Perl and the DBI.pm interface with the MySQL driver, it is impossible to execute something like:

(select * from CLIENTS where nom="my_name" ; drop CLIENTS ) #)"

when your input is:

my_name" ; drop CLIENTS ) #

because the DBI Perl module forbids the execution of more than one command at the same time.

I don't know about other DBs ...., sorry (who knows about a stored procedure in MS SQL allowing to send results by mail?)
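The behaviour described in the reply above, as an added example that is not part of the original post: Python's sqlite3 module stands in for Perl DBI with the MySQL driver (an assumption; its `execute()` also accepts only one statement per call), and the input is a constructed adaptation of the thread's example to SQLite syntax. The helper names are hypothetical. It compares a concatenated query sent through a single-statement call, the same query sent through a multi-statement call, and a bound parameter.

```python
import sqlite3

# Constructed input: the thread's example adapted to SQLite syntax.
STACKED_INPUT = "my_name' ; DROP TABLE CLIENTS --"

def fresh_db():
    """In-memory database with one CLIENTS row (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CLIENTS (nom TEXT)")
    conn.execute("INSERT INTO CLIENTS VALUES ('my_name')")
    conn.commit()
    return conn

def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='CLIENTS'"
    ).fetchone()
    return row[0] == 1

def concat_single_statement(value):
    """Concatenated query through an API that takes one statement per call."""
    conn = fresh_db()
    try:
        conn.execute("SELECT * FROM CLIENTS WHERE nom='" + value + "'")
        outcome = "executed"
    except (sqlite3.Warning, sqlite3.Error):
        # Raised when text follows the first statement (the class varies by Python version).
        outcome = "rejected"
    return outcome, table_exists(conn)

def concat_multi_statement(value):
    """Same concatenated query through an API that accepts several statements."""
    conn = fresh_db()
    conn.executescript("SELECT * FROM CLIENTS WHERE nom='" + value + "'")
    return "executed", table_exists(conn)

def bound_parameter(value):
    """Placeholder binding: the whole input is compared as a plain string."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM CLIENTS WHERE nom = ?", (value,)).fetchall()
    return rows, table_exists(conn)

if __name__ == "__main__":
    for check in (concat_single_statement, concat_multi_statement, bound_parameter):
        print(check.__name__, check(STACKED_INPUT))
```

The single-statement call only rejects the query; the table is lost as soon as the same string reaches a multi-statement call, while the bound parameter returns no rows and leaves the table intact in either case.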